Skip to main content

What ASIL Actually Means

Think of ASIL as a “difficulty setting” for safety work. A video game might have Easy/Normal/Hard/Extreme modes—ASIL uses QM/A/B/C/D. Each level prescribes increasingly strict requirements for:
  • Development process rigor (reviews, independence, formal methods)
  • Verification depth (test coverage, fault injection, architectural analysis)
  • Documentation completeness (traceability, rationale, safety case evidence)
  • Hardware safety metrics (fault tolerance, diagnostic coverage, random failure rates)
Higher ASIL means more effort, more time, more cost—but also more confidence that your system won’t kill anyone.
A common misconception: ASIL is derived from hazards, not assigned to components arbitrarily. You don’t “make” something ASIL D—you discover through HARA that a hazard has ASIL D severity, then allocate that requirement to the safety goals and their implementing components.

The Five ASIL Levels

LevelMeaningSafety RequirementTypical Scenarios
QMQuality ManagementNo specific ASIL requirements—standard automotive QM processes sufficientInfotainment volume control failure, interior mood lighting glitch
ASIL ALowest functional safetyBasic hazard analysis, standard V-Model verificationRear wiper intermittent failure (limited visibility impact)
ASIL BModerate functional safetyEnhanced verification, architectural analysis, increased independenceElectric window anti-pinch failure, headlight aim degradation
ASIL CHigh functional safetyMandatory independent assessment, hardware safety analysis, extensive testingElectronic stability control (ESC) degradation, adaptive cruise control failure
ASIL DMaximum functional safetyProven-in-use components, formal methods, exhaustive testing, safety manager gatesUnintended acceleration, brake-by-wire total failure, AEB failure to detect pedestrian
QM (Quality Management) is technically not an ASIL—it means “no ASIL applies.” Standard automotive quality processes (IATF 16949, production validation testing) are deemed sufficient for non-safety-critical failures.

How ASIL is Determined: The Three-Dimensional Risk Matrix

ISO 26262-3:2018 defines ASIL as the output of a three-input risk assessment: 
ASIL = f(Severity, Exposure, Controllability)
During HARA (Hazard Analysis and Risk Assessment), you evaluate each hazard along three dimensions:

Severity (S0–S3): Injury Outcome

ClassDescriptionExamples
S0No injuriesCosmetic damage, minor inconvenience
S1Light to moderate injuriesWhiplash, minor lacerations, bruising
S2Severe injuries (survival probable)Broken bones, severe cuts requiring surgery, concussion
S3Life-threatening or fatal injuriesHead trauma, internal bleeding, spinal injury, death

Exposure (E0–E4): Operational Situation Probability

ClassProbability RangeExamples
E0Incredible (practically impossible)Simultaneous GPS failure + map database corruption + manual override disabled
E1Very low (<1% of operating time)Driving on ice in desert climate, extreme fog in arid region
E2Low (1–10% of operating time)Heavy rain, nighttime highway driving
E3Medium (10–50% of operating time)Urban traffic, parking maneuvers
E4High (>50% of operating time)Normal cruising, stop-and-go commuting

Controllability (C0–C3): Driver’s Ability to Avoid Harm

ClassAvoidance ProbabilityExamples
C0>99% of drivers can avoid harmMinor torque fluctuation with 5+ seconds to react, gentle steering pull
C1>90% of drivers can avoid harmSlight brake pedal feel change, gradual power reduction with warning
C2>60% of drivers can avoid harmModerate steering torque spike, delayed throttle response requiring evasive maneuver
C3<90% of drivers can avoid harmSudden brake failure at highway speed, unintended acceleration in traffic, total steering lock
C-rating must account for driver awareness time, required action complexity, and environmental conditions. Emergency braking on dry pavement (C1) becomes C3 on black ice. Always assess the worst-case realistic scenario.

The ISO 26262 ASIL Determination Matrix

ISO 26262-3:2018 Table 4 defines the normative ASIL lookup. Here’s the complete matrix: Severity S1 (Light/Moderate Injuries)
E1E2E3E4
C1QMQMQMA
C2QMQMAB
C3QMAAB
Severity S2 (Severe Injuries, Survival Probable)
E1E2E3E4
C1QMAAB
C2ABBC
C3ABCC
Severity S3 (Life-Threatening/Fatal Injuries)
E1E2E3E4
C1ABBC
C2BCCD
C3BCDD
Special cases:
  • Any combination with S0 (no injuries) → QM
  • Any combination with E0 (incredible exposure) → QM
  • Any combination with C0 (>99% avoidance) → QM
This matrix is hardcoded in TestAuto2’s HARA Risksheet as an automatic formula—you select S/E/C dropdowns, the ASIL cell updates instantly.

ASIL Lifecycle: From Hazard to Hardware

ASIL flows downstream through the V-Model via inheritance and decomposition: diagram Key principle: You can never lower ASIL without approved decomposition. If a hazard is ASIL D, derived safety goals start at ASIL D. You may decompose D → C+B or D → B+B+B using architectural redundancy, but arbitrary downgrading violates ISO 26262. In TestAuto2, ASIL inheritance is automatic: Safety Goal work items use the inheritASIL formula to pull ASIL from their parent hazard via derivedFrom link role.

ASIL Decomposition (Advanced)

ISO 26262-9 allows ASIL decomposition—splitting a high-ASIL requirement into multiple lower-ASIL components with architectural independence:
  • ASIL D → ASIL C + ASIL B (two independent implementations, dual-redundancy)
  • ASIL D → ASIL B + ASIL B + ASIL B (three-way voting, triple-modular redundancy)
Requirements for valid decomposition:
  1. Architectural independence (no common-cause failures between decomposed elements)
  2. Freedom from interference (one element’s failure cannot cascade to others)
  3. Sufficient redundancy (voting/monitoring detects failures before harm occurs)
While decomposition reduces per-component development cost (ASIL B verification is cheaper than ASIL D), it increases system complexity—you now have 2-3 components to integrate, verify for independence, and analyze for common-cause failures. Only decompose when architectural redundancy is already justified.
TestAuto2 does not automatically enforce decomposition—it must be managed manually through custom fields and traceability links to decomposed safety requirements.

Color-Coded Visual System

TestAuto2 applies progressive color-coding to ASIL values for instant visual risk assessment:
  • QM: Gray (#808080) — No safety requirement
  • ASIL A: Green (#58FF59) — Lowest functional safety
  • ASIL B: Orange (#FFA500) — Moderate functional safety
  • ASIL C: Light Red (#FF6347) — High functional safety
  • ASIL D: Dark Red/Purple (#8B0000) — Maximum functional safety
This color scheme appears in:
  • HARA Risksheet cells (ASIL column and row headers)
  • Dashboard summary cards (ASIL distribution statistics)
  • Reports (ISO 26262 HARA Report, Safety Readiness Scorecard)
  • Traceability matrices (safety goal → requirement allocation views)
The gradient follows automotive industry convention: green = acceptable risk, red/purple = critical risk requiring maximum rigor.

Common Misconceptions

”We can assign ASIL based on component cost”

False. ASIL is derived from hazard analysis, not component value. A 2sensorcanbeASILDifitsfailurecausesalifethreateninghazard(e.g.,brakepressuresensor).Conversely,a2 sensor can be ASIL D if its failure causes a life-threatening hazard (e.g., brake pressure sensor). Conversely, a 500 infotainment module is QM if its failure only affects entertainment.

”ASIL D means zero defects”

False. ASIL D prescribes process rigor, not perfection. It requires probabilistic hardware safety metrics (e.g., <10 FIT random failure rate for single-point faults), extensive verification (e.g., MC/DC code coverage), and architectural constraints (e.g., dual-redundancy). Defects can still occur—ASIL D ensures they’re rare and detectable.

”All automotive components are ASIL-rated”

False. Only safety-related components (those whose failure contributes to hazards with S1+ severity) receive ASIL ratings. Door lock motors, seat heaters, USB charging ports—typically QM or not safety-rated at all.

”ASIL A is easy, so we can skip verification”

False. ASIL A still requires ISO 26262 compliance—hazard analysis, architectural design per Part 4, verification per Part 8. It’s less rigorous than ASIL D (e.g., no mandatory independence, reduced test coverage), but it’s not a free pass.

Practical Application in TestAuto2

To work with ASIL in TestAuto2:
  1. During HARA: Open the HAZID Risksheet, assess S/E/C for each hazard—ASIL calculates automatically per ISO 26262 matrix
  2. Derive Safety Goals: Link Safety Goal work items to hazards via derivedFrom—ASIL inherits automatically
  3. Allocate to Requirements: Refine safety goals into functional safety requirements, preserving or decomposing ASIL
  4. Track with Dashboards: Home Dashboard shows ASIL distribution (percentage of hazards at each level)
  5. Generate Reports: ISO 26262 HARA Report includes ASIL matrix, color-coded hazard register, and distribution summary
For step-by-step instructions:

Reference Materials